RiskLogic as platinum sponsor of BCI Australasia Summit 2018
BCI Australasia Summit 2018 sponsorship

RiskLogic is pleased to return as a platinum sponsor of the BCI Australasia Summit 2018 for the 8th consecutive year. This year, in collaboration with Clearview, we will be exhibiting our innovative business continuity & crisis management software, as well as supporting our New Zealand Regional Manager, Brad Law, as he presents ‘The water crisis. Not enough or too much!’, a compelling topic on the subject of climate resilience.

The BCI Australasia Summit 2018 is an event which focuses on business continuity and organisational resilience challenges & opportunities. The event is currently in its 12th year and is widely acknowledged as the principal Business Continuity and Resilience conference in the Australasian region. The summit is attended by experts and practitioners in Business Continuity, Crisis management, Emergency Management, Crisis Communications, Emergency Response, Organisational Resilience, IT Disaster Recovery, Cyber Security, ITSCM, Risk Management and Security.

A platinum sponsorship gives RiskLogic the opportunity to align itself with a trusted global BCI organisation and showcase our services and products to a targeted audience. The sponsorship also gives credence and recognition to the practice of business continuity and the important role it plays in ensuring an organisation’s ability to continue operations in the event of a disruption.

Over the two-day event, RiskLogic will be exhibiting BC-3, powered by Clearview, and CQCommand. BC-3 is a multi-award-winning, web-based business continuity tool that allows organisations to effectively command, control and coordinate all of their business continuity capabilities. Its sophisticated functionality reduces the time and cost of managing resilience plans, whatever the size of your organisation. CQCommand is a cloud-based crisis management tool. With its intuitive user interface, CQCommand enables the crisis leadership team to proactively manage crisis events across the organisation, develop & monitor situational awareness within the online and offline media, and collaborate & communicate with their team, suppliers and customers. Used hand in hand, BC-3 and CQCommand increase an organisation’s resilience capabilities and empower it to rise to the challenge in the event of a major disruption.

The BCI Australasian Summit 2018 will be held on 30th – 31st July 2018 at the Sydney Masonic Centre in Sydney CBD.


Rottnest Channel Swim
The 2018 Rottnest Channel Swim through the eyes of a Resilience Manager.

Attracting seasoned and experienced resilience consultants sits at the core of every successful consulting company. The RiskLogic team are not only employees of the organisation, but part of the family, so much so that consultants live and breathe resilience outside of the work environment. Meet Henry Shepherd. Henry is a Manager at RiskLogic and, even during extracurricular activities, Henry’s mindset is ‘always on’ with Crisis Management.

In late February, Henry participated in the Rottnest Channel Swim with approximately 2,500 other swimmers. Organised by the Rottnest Channel Swim Association (RCSA), the Rottnest Channel Swim is a 20km swim consisting of solos, duos and teams of four. The swim starts from Cottesloe Beach (WA), with the finish line at Rottnest Island. Swimmers could be battling big swells, strong currents, stingers and even sharks; it’s certainly not an event for the faint-hearted! It so happened that during this particular event, a great white shark decided to join in on the fun. The chaos that ensued saw hundreds of swimmers (including Henry, our resident swimmer) withdrawn from the race. In addition to the visit from the fishy swimmer, other incidents occurred during the day, resulting in the RCSA implementing their safety plan.

What happened next was expected of a Resilience Manager. Henry went into problem-solving mode. With an eagle eye, Henry assessed and observed the situation from his point of view and, in typical resilience style, noted the challenges, what worked well and what critical steps could be improved. These observations and learnings were then brought back into the office and used as case studies for clients within the same industry. Like all Resilience Consultants at RiskLogic, Henry is ‘always on’, a strategy that has enabled Henry to continually grow his knowledge and experience within the field of Business Resilience.

Here is a summary of Henry’s observations of the Rottnest Channel Swim:

The Challenges

  • Potential shark attack.
  • Multiple withdrawals from the race due to choppy conditions.
  • Swimmers continuing past safety markers unsupported.
  • Support staff assisting support crews in finding their lost swimmers, all within the first 1500m.
  • Capsized boats, sinking boats and multiple boats with engine failures.
  • Flares being shot and Emergency Position Indicating Radio Beacons (EPIRBs) being activated.
  • Multiple medical evacuations, including hypothermia, nausea and exhaustion. Even a broken fingernail was reported over the radio.

What Worked Well

  • Triaging Tasks – Safety staff addressed the incidents as they occurred. Whilst the shark was a genuine concern, it would only be a chance occurrence. The priority is to respond to the incident that has already occurred whilst considering possible events, i.e. assist the boat with engine failure and medically evacuate casualties, whilst monitoring the shark.
  • Control Measures and Response Strategies – There were clear safety measures in place, with provisions made for lost swimmers and shark sightings.
  • Pre-race Brief – RCSA delivered a well-presented brief and video pre-race and at organised meetings. The video was also published and made available on the website, which catered for local, interstate and international competitors. The brief provided clear instructions and set expectations for swimmers and support crews.
  • Post Incident Report – Within 2 weeks of the race finish, a questionnaire was sent to all swimmers and support crews requesting feedback on the race. This questionnaire included a tailored set of questions to identify points regarding the decision around withdrawing swimmers.

Room for Improvement

Whilst the RCSA did a great job in controlling an incredibly complicated and dynamic environment, there are always areas for improvement.

  • Communications – The single dedicated VHF channel meant those with genuine needs for assistance were endangered by the ‘congestion’ of the radio with unnecessary ‘chatter’ in response to the shark sightings and withdrawal of swimmers.
  • Situational Reports – It can take time to make decisions. It is important to keep everyone informed of when decisions will be made, or when updates will be provided. This will prevent frustration and confusion as to what is happening.

Lessons Learned

Was the race a success? Even as a withdrawn swimmer, I certainly think it was. Was the right decision made? I firmly believe so. Had there been a shark attack and no action taken, it would be potentially the end of one of the greatest swimming events.

So, what did we learn about having a plan?

  • Include a detailed Communications Strategy which:
    • Indicates time frames for Situational Reports.
    • Considers having two radio channels: 1) a Race Net for updates on conditions and assisting lost swimmers, and 2) a Safety Net for medical emergencies and boats in trouble.
    • As staff personnel were positioned along varying legs of the race, considers tools which could improve the rate of communication, i.e. CQCommand.
  • Ensure you have identified likely threats and prepared appropriate response strategies. This will enable efficient decision-making and reduce pressure in an already stressful environment.
  • Always conduct a Post Incident Report. Learn from previous events and always look to improve.

I’ll be back in 2019 and making sure I cross the finish line.

~Henry Shepherd~

Henry is a Manager in RiskLogic’s business resilience practice. Henry has over eight years of experience working throughout Australia in a wide variety of industries, including government, legal, construction, retail and hospitality. Henry is responsible for supporting, implementing and managing all aspects of the Business Continuity lifecycle.

Internship at RiskLogic
RiskLogic providing interns with practical experience

When an organisation is in growth mode, it’s quite common for the HR department to be buzzing with activity as they sift through job applications to find the ideal candidate, one who is experienced and would fit into the team dynamic. It’s also quite common for the HR department in these cases to dismiss expressions of interest from individuals who are less experienced and looking for opportunities in the form of internships. RiskLogic takes a different approach: believing everyone has to start somewhere, it is an advocate of internships.

Cultivating a work environment which encourages innovation and places people first, RiskLogic supports intern programs developed by local and international educational institutions. There are clear advantages for both RiskLogic and the intern in embarking on this program together. For RiskLogic, an intern can provide a fresh perspective with new ideas, and we also get an extra set of hands to assist with projects. In return, interns get an opportunity to be hands-on within the field they are studying, as they are provided with a practical setting to apply theoretical knowledge, giving them a chance to use and develop their skills.

Meet Magnus Josias, a 25-year-old student studying Risk and Emergency Management at Copenhagen University College. As Magnus delved deeper into the study of Risk and Emergency Management, he developed a strong interest in the world of business resilience. “I find it fascinating how perception of various threat environments can be completely different depending on industry, culture and country”, says Magnus. Magnus set a goal for himself to secure a role within the industry where he could work with clients across different sectors and countries. With this goal in mind, Magnus decided to complete an internship, as he believes it provides the greatest learning experience. He relished the notion of being presented with constant challenges and the ability to develop fluid skills that would adapt to a dynamic work environment.

Although Magnus lives in Copenhagen, his love of travelling and learning about different cultures saw him explore opportunities for work experience abroad. Magnus made contact with a number of resilience organisations throughout Australia, the USA and the UK. In an industry that is heavily compliance-driven and filled with administrative work, RiskLogic stood out with its modern and innovative approach to business resilience. RiskLogic’s strategy includes investment in in-house development of crisis management and emergency management software, and it is also the provider of the Clearview Business Continuity software in Australia and New Zealand. It’s clear that the tech space RiskLogic has established would appeal to a tech-savvy millennial with a strong interest in Risk and Emergency Management. Hence, Magnus made the decision to travel halfway across the world to complete his internship with RiskLogic.

With offices in Sydney, Melbourne, Brisbane and New Zealand, RiskLogic developed a tailored 6-month intern program for Magnus, allowing him to rotate and work with the team in each state. RiskLogic provided Magnus with a peer-to-peer learning experience and also gave him the opportunity to develop various incident and scenario registers, create run sheets for exercises, and develop Incident and Business Continuity e-learning modules and plans, essentially growing his experience in business analysis, strategy development, training and client engagement.

“The work experience at RiskLogic has been incredibly valuable to both my study and my future career. I have been introduced to tools and skills that are impossible to duplicate at university,” says Magnus.

RiskLogic currently has a number of local interns looking to develop their skills within the tech space. If you are interested in an internship at RiskLogic, email Iolanda Hazell at

GDPR | General Data Protection Regulation
The General Data Protection Regulation and what it means for Australian organisations.

What is General Data Protection Regulation?

Commonly referred to as the GDPR, the General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). Alongside these primary objectives, it also addresses issues in the export and protection of EU data internationally. The regulation looks to set the benchmark in personal data protection and has been well received by officials as a positive movement towards more control for EU citizens and residents.

The GDPR becomes enforceable on 25 May 2018 and will override the Data Protection Directive 95/46/EC adopted in 1995.

Why is the GDPR being introduced?

The economic value of personal data has increased dramatically in the last 8 years and brought with it significant data protection issues. The GDPR ensures stronger digital rights for EU citizens in an age where cyber threats are the third most common crisis event.

Would the GDPR affect your organisation?

A breach of the GDPR could result in major fines for Australian organisations with trade links to Europe, for example:

  • An Australian organisation with an office in the EU.
  • An Australian organisation that employs EU citizens.
  • Australian education establishments with EU students.
  • An Australian organisation whose website targets EU customers, e.g. enabling EU customers to order goods or services in a European language (other than English), or enabling payment in Euros.
  • An Australian organisation whose website mentions customers or users in the EU.
  • An Australian organisation that tracks website visitors from the EU and uses data profiling techniques to profile individuals in order to analyse and predict online personal preferences, behaviours and attitudes.

Spokespeople from IAG and McAfee both agreed that Australia is not prepared for the major changes in the GDPR.

What does your organisation need to do to comply with the GDPR?

If you hold digital data on, or have a connection to, any European entity or citizen (whether it be receipt details or client data in your CRM), you are subject to these laws.

Should a data breach occur within your organisation, you must report the data breach under the GDPR within 72 hours. A data breach could be as little as the release of an individual’s IP address. Failure to report this breach could result in a fine.

The GDPR has confirmed that the minimum fine for failure to report a breach is 10,000,000 Euros or 2% of the organisation’s annual earnings (whichever is higher). This covers a baseline breach. It then rises to 20,000,000 Euros or 4% for more serious breaches.

Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.

What’s next?

When the regulation goes live, many predict that the GDPR is likely to make an example of companies that do not take data breaches as seriously as they should. Regulators are likely to crack down hard in the first 3 years and set expectations internationally.

It’s important to remember that most cyber-attacks will happen regardless of the measures that are put in place. The most important thing is how you react after a cyber-attack has occurred; you may need to go into Crisis Management mode to ensure business continuity. Having processes in place to deal with the crisis, report the breach under the GDPR, present your solutions to remedy the crisis and implement preventive action should now be your priority.

If you would like more details on this new regulation, RiskLogic has a team of experienced consultants who can provide support. Email us at or call 1300 731 138.

Business Growth
RiskLogic on track for significant growth

As the threat environment continually changes at home and abroad, organisations are recognising the value of preparing for the worst. At the forefront of this forward-thinking movement is RiskLogic, global leaders in Business Continuity, Incident Management and Crisis Management.

The past few years have seen RiskLogic’s consulting and technology practices experience double digit growth, year on year, and 2018 is set to be the biggest year yet.

“In Melbourne alone, we are expanding at a rapid pace to meet the demands of our growing client base, attracting some exceptional talent and working on some very interesting projects”

says Regional Manager Cheryl Hambly, whose Melbourne team now covers Victoria, South Australia and Tasmania. With the Melbourne team recently outgrowing their office and moving into larger premises on Collins Street in the Melbourne CBD, growth continues, with a number of exciting roles currently being advertised.

Not only has RiskLogic experienced substantial growth across the Melbourne, Sydney and Brisbane offices, but the demand for high quality, practical Incident Management, Crisis Management and Business Continuity services continues to grow internationally, especially throughout Asia Pacific. RiskLogic’s New Zealand practice is booming and projects have recently been completed in Brunei, Singapore and India.

At RiskLogic, we believe that people are the essence of every organisation and the reason behind every success story. Our purpose is to help empower people to confidently tackle any challenge. With the right tools, training and experience, we help our clients navigate even the worst situations, safeguarding what’s important to them. It is our way of helping to build A Resilient Future. Our values of People, Integrity, Passion, Innovation and Performance guide everything we do.

If you are interested in joining our growing team in Melbourne and share our purpose and values, please send your CV to

RiskLogic NSW team
Capability and delivery of RiskLogic NSW team

Evident through its growing client base, RiskLogic has firmly established itself as a leading dedicated provider of resilience solutions throughout Australia and New Zealand. With over 10 years’ experience in developing and implementing bespoke programs for organisations across various sectors, RiskLogic has built a strong team of confident, experienced and extremely passionate & talented individuals with the capability to implement and deliver simultaneous training and exercises.

This was demonstrated on Tuesday 23rd January when the RiskLogic NSW office resembled a beehive with a flurry of activity taking place on and offsite.

Resilience Regional Manager David Bird and Resilience Specialist Madeleine Gin were in Newcastle with a superannuation client, delivering Crisis Management Team training and a CQCOMMAND overview and user training session.

Resilience Senior Manager Trent Clouston implemented a critical incident management exercise for a Federal Government agency. The exercise was supported by offsite exercise inputs from Resilience Specialist Leon Israel and Team Support Amy Mallick.

Resilience Manager Henry Shepherd conducted a crisis management workshop/review for a national freight company. The review consisted of interviews to identify potential gaps within the organisation’s gap analysis report as part of their Business Continuity Program.

What these activities highlight is the capability of the RiskLogic NSW team to take on multiple projects and deliver seamless exercises and workshops. RiskLogic is on a trajectory of growth, with a dedicated team for each region across Australia and New Zealand offering services in Business Continuity Management, Crisis Management and Incident Management, supported by CQCOMMAND, an online crisis management tool, and BC-3, the online business continuity management software.

Balanced work and family lifestyle
Christmas Party for RiskLogic’s children

It’s easy to spruik that a company has a strong culture & values around its people. But it may be completely different when companies are expected to turn theoretical values into true practice. Businesses can oftentimes get so busy throughout the year that planned social events are overlooked or placed lower down the list of priorities.

At RiskLogic, Joint Directors Dan Shields and Josh Shields place a lot of value on their people, and these values are practised throughout the year. Established in 2005, RiskLogic has been on a trajectory of exponential growth over the last few years, with the team growing rapidly, and still growing. The RiskLogic directors are firm believers that an organisation’s success is a combination of having a clear and meaningful purpose, strong values and highly aligned and motivated people who are the best in the industry.

Josh and Dan are advocates of placing people first, believing the results will follow. They do this by encouraging team members to have a balanced work and family lifestyle, interlaced with social events throughout the year, and finished 2017 with a Christmas party for the children of the RiskLogic family.

The children enjoyed an afternoon of Xbox and Wii, cupcake decorating, colouring in, face painting and pool, finished with a visit from Santa Claus. Exhausted and loaded with sugar, the children went home with parents who could finish the day with an early mark. Merry Christmas to all our clients, friends and family. Stay safe over the holidays.

Leading in a crisis | leadership styles
Organisations under pressure: leading in a crisis

Compared to business as usual, a crisis presents a unique and challenging decision-making environment. Whether it’s a natural disaster, hostage scenario, malware attack or other crisis, leaders and team members may be under enormous psychological pressure when managing through a major incident. In such extremes, strategic leadership is crucial, particularly as the leader is unlikely to have had direct experience of the crisis beforehand.

Two different leadership styles

There are two different leadership styles that may apply when managing a major incident: task-orientated and people-centred leadership. Neither one of these leadership styles outweighs the other in importance. Instead, depending on the crisis and incident, the appropriate leadership style will need to be invoked.

The task-orientated leadership style is focused on strong hierarchies and task-orientated behaviour to drive outcomes. This leadership style takes command and control of the situation by determining specific tasks and the scope of work for their alternates. She or he determines what, how, where and when the work must be done.

The people-centred leadership style places greater emphasis on their relationship with their team members, encourages two-way communication and harnesses ideas from the team. Employees often open up to leaders who are human, who have made mistakes and learned from them. ‘When you capture the hearts and minds of people, let them have their say in some of the decisions, they will have greater buy-in and be more willing to strive for excellence,’ says Melbourne RiskLogic Senior Manager, Gary Vogel.

Choosing the best crisis leadership style for your organisation

Crises are unpredictable, chaotic and can escalate quickly. Leaders must deal with issues that are difficult to understand and which seriously threaten the viability of the organisation and possibly even the safety and welfare of staff and clients or customers. ‘During a crisis, people are often panicky and in need of assurance that someone strong is in control. Task-orientated leadership using the command and control approach has been used effectively in these situations as it provides strength, helps assure the team, and galvanises their efforts,’ confirms Vogel.

“An inspirational leader is one who quickly, calmly and decisively controls a crisis situation”

‘With great power comes great responsibility, and managers are expected to lead, especially through times of difficulty. A good leader will change their leadership style based on the situation,’ adds RiskLogic’s Brisbane Regional Manager, Simon Petie.

A people-centric leadership style may well be better placed for the business as usual environment, or when reviewing and learning from the crisis and preparing for the next one. For a people-centred leadership approach to be effective during the crisis, the workforce must be fully aligned in its values, direction and drive for success.

‘The maturity of the crisis management team is a critical consideration in terms of how the leader leads during a crisis,’ says RiskLogic’s Melbourne Regional Manager, Cheryl Hambly. ‘If the team has extensive experience working together in crisis mode, the leader may be able to take a more supportive rather than directive role. However, in reality this may be difficult to achieve. In a less mature team, as is often the case, team members will need a higher level of direction to set objectives and respond to the situation,’ adds Hambly.

In a crisis, there is often simply no time to consult with the team about what to do. If you hesitate as a leader, if you delay a decision in order to form a committee to discuss your options, you may miss the decisive point that will tip the balance between success and failure, or possibly even life and death.

Becoming a resilient organisation

To be a resilient organisation, leaders must be able to adapt to and successfully steer the organisation through all kinds of disruptive changes. It’s not enough to simply train your managers to be decisive or to tell your staff the location of emergency exits and assembly points.

If the command and control leadership approach is counter to your organisation’s typical approach, working through times of stress and challenge may be exceptionally difficult. Leadership in a crisis might not be within the skill-set of your organisation’s senior leaders; a leader who is highly successful in normal business may not be able to lead well in a crisis.

The only practical way of preparing leaders for a crisis is a rigorous, realistic and regular training program, which allows leaders to examine all the implications of those challenging, yet plausible ‘What if…?’ scenarios. Key employees need to be trained to work within the crisis management plan to help ensure they respond in the most appropriate way. A well-managed communications strategy that ensures accurate and timely communication is also critical to instil calmness, authority and confidence in all those affected by the crisis.

What a Cyberattack May Cost You

Editor’s note: this article was written last year in conjunction with RiskLogic’s Cyber-Awareness campaign. We are re-publishing it for 2017’s Cyber Awareness Month.

The Business Continuity Institute brings you another year of stats to help put into perspective the issues facing organisations. Here is a breakdown of the 2016 Cyber Resilience Report. These numbers were researched and put together by Senior Communications Manager, Andrew Scott CBCI.


[Figure: Business Continuity]

As I mentioned last week, BDO had stated in their cyber awareness workshop that one organisation would receive on average 17,000 attacks in 2016. By 2020, this is going to cost companies a staggering $3 trillion USD.

[Figure: Cyber Incidents]


The frequency of these cyber incidents demonstrates why it is important for organisations to have plans in place to mitigate against these kinds of threats, or to lessen their impact.

The Cyber Resilience Report, the result of a study conducted by the Business Continuity Institute and sponsored by Crises Control, found there was a wide range of response times for cyber incidents.

[Figure: Response time to cyber attacks]

This has clear implications for the time taken to return to business as usual, and for the ultimate cost of the incident to the organisation.

Even if organizations wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so.

[Figure: Phishing attacks]

All these forms of attack will, in different ways, leave an organisation’s own network either contaminated or inoperable. The example of a company in New Zealand that a few years ago disappeared off the face of the earth reiterates this.

They had realised one afternoon that someone was in their system, just sitting there waiting (which can be more worrying than if they’re actually attacking). The organisation took the first meaningful step and completely disconnected the whole business. 150,000 customers were contacted to change their passwords. Over two weeks the IT team rebuilt the company’s systems from scratch. Confident that no hacker could get back into something completely rebuilt like this, they gained the stakeholders’ trust and invested millions into fixing this as soon as possible. On a Friday afternoon at 4:30pm, the business was ready to switch back on. Once they had, their CIO was informed that the hacker was there again, waiting, back in the systems. His inevitable attack led the company to lose a further couple of million dollars and sent them into bankruptcy.

[Figure: Costs of a cyber attack]

David James-Brown FBCI, Chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation, and this calls for a greater awareness of ‘cyber crime’. As the cyber threat evolves, it is crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”

Rickie Sehgal, Chairman of Crises Control, said: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies do, is just unacceptable.”

RiskLogic offers a comprehensive training course on cyber resilience and how your organisation can remain prepared and secure for when an attack occurs. Our experienced and credible consultants are well prepared and ready to assist you in your cyber journey. Contact us now to arrange your obligation-free consultation.

How The Defence Force Was Hacked

Written by Brad Law, Senior Manager, Resilience Services & Country Manager NZ & Ollie Law, Commercial Marketing Manager

Just over a year ago, I was sitting down to lunch with a client in Wellington. It was a rare, beautiful day with a nice buzz of students and frantic businesspeople walking around us. We were about 300 metres away from the Beehive (the Executive Wing of the New Zealand Parliament Buildings) and my client leant over to ask, “What do you think is the most likely and unlikely organisation to be hacked or targeted by cyber-terrorism?” After very minor thought, I concluded that anything to do with the Defence Force is not only a huge target for any budding hacker, but surely it’s also the last place that would allow that to happen, right? Wrong!

As of Tuesday 10th October 2017, an Australian Defence contractor has had highly commercially sensitive information on the build and design of new fighter jets, navy vessels and surveillance aircraft stolen.

The Facts as we know them:

Dan Tehan, the minister in charge of cyber security, confirmed the hacking had taken place and was targeted towards an unknown contractor.

The intrusion went on for several months without being detected by the contractor's own network monitoring or by Defence.

Within 24 hours of the news breaking, Australian authorities had criticised the contractor's "sloppy admin", concluding that almost anybody could have penetrated the company's network and that they were "surprised it hadn't happened sooner".

The investigation found that the attackers got in through the company's IT helpdesk portal, exploiting a vulnerability for which a fix had been available for twelve months but had never been applied. That left the door wide open to even the most amateur attacker.

The Australian Signals Directorate (ASD) also found that the contractor had not changed the key passwords or access codes on any of its internet-facing servers for many months.

It has since emerged that the administrator password on the company's web portal was 'admin' and the guest password was 'guest': the first two credentials any attacker tries, and an unbelievable state of affairs for a firm in the contractor's line of work.

ASD incident response manager Mitchell Clarke told a conference in Sydney on Wednesday 11 October that the hackers had targeted a small "mum and dad type business", an aerospace engineering company with about 50 employees, in July 2016. In other words, the attackers went through a supply-chain partner of the main contractors rather than the prime contractor itself, exploiting a gap in the resilience of the whole programme.

Clarke noted, “It included information on the (F-35) Joint Strike Fighter, C130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels.”

The firm has been confirmed as a fourth-tier contractor to Defence. The attackers still reached sensitive programme information through a partner four levels down the supply chain.

Why aren’t we learning?

Less than six months earlier, in May 2017, the WannaCry ransomware outbreak had spread across hundreds of thousands of machines worldwide by exploiting a Windows vulnerability that Microsoft had already patched two months before. The obvious lesson was to patch every network and machine promptly and to retire stale passwords: hours of work for a small firm, a managed programme for a large one, but routine either way.

If we break down the facts of this case, there are some key questions and discussions coming up:

  • Should Defence have had a plan covering all of the associates and suppliers of its programmes?
  • Why was supply-chain security not checked, and why is the supplier now being blamed?
  • The usernames and passwords were plainly inadequate. This should have been noticed earlier.
  • How does an intrusion lasting nearly twelve months go unnoticed?
  • Is a foreign state being behind the hack the real concern?

The answer to that last question is no. States have been trying to hack each other since the internet first went live; it is nothing new. The key question is the order and control of the supply chain in the first place.

What might happen now?

Probably nothing visible. As with most hacks, the attackers may simply boast about how good they are at it. A ransom demand for the return of the information is the next most likely scenario. Or we may never hear about this again, which would suggest it has been taken higher.

The ASD, for now, has dubbed the hacker “ALF”, after a character in the TV soap opera Home and Away. At least they’re seeing the humorous side to all this!

Mr Clarke described the breach as "sloppy admin" at the conference. Most IT people could have spotted the holes in the system; it is the people in charge who should have put checks in place in the first place.

What you need to do, right now!

If you didn’t already do this in May following the WannaCry cyber-attack, go and ask your IT team when the last time they changed passwords.

Then check how up to date your systems and security controls are: which patches are outstanding, and for how long.

Most importantly, get in touch with the third parties you depend on and with your supply chain. Alastair MacGibbon, the Prime Minister's Special Adviser on Cyber Security, said on breakfast news that "this is a supply chain issue, not the Government's fault". Sorry Alastair, but you cannot blame your supply chain: responsibility for a disruption remains with the organisation that depends on it.

If you were an airline based in Australia, for example, you would have hundreds of supply-chain dependencies, right down to the travel agent, and many websites and potential gateways to keep on top of. Mapping those dependencies and knowing which ones matter is what maintains your resilience.

Your Disaster Recovery Plan (DRP) and IT disaster recovery (ITDR) arrangements need to be reviewed now. Even if you reviewed them last week, double-check that they are up to date and cover what they need to.
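Two of the checks above, stale credentials and exposed portals, can be verified rather than asked about. The Python below is an added example, not code from the article or from RiskLogic: it audits a list of your own internet-facing portals for the credentials reported in this case, 'admin'/'admin' and 'guest'/'guest', plus one further common default. It assumes the portals use HTTP Basic authentication and that you are authorised to test every host in the list; the two local stub portals it stands up are constructed for the example so it runs offline, one still on admin/admin and one with a unique password.

```python
"""Default-credential audit for your own internet-facing portals.

Added example, not from the article or RiskLogic. Assumptions: portals use
HTTP Basic auth, you are authorised to test them, and the URL list comes
from your own asset register. Two local stub portals are constructed below
so the audit runs offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Pairs that must never work on a production portal. The first two are the
# ones reported in the ASD case; the third is another widespread default.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("guest", "guest"), ("admin", "password")]


def _get_status(url, username=None, password=None, timeout=5):
    """HTTP status of a GET, optionally with Basic auth; None on network error."""
    headers = {}
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    try:
        with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code          # 401/403 means the credentials were rejected
    except URLError:
        return None


def audit_portal(url, credentials=DEFAULT_CREDENTIALS):
    """Return (url, username, password) findings for one portal.

    A portal that serves the page with no credentials at all is reported with
    username "<none>": trying passwords against it would be meaningless and
    the exposure is worse.
    """
    if _get_status(url) == 200:
        return [(url, "<none>", "")]
    return [(url, u, p) for u, p in credentials if _get_status(url, u, p) == 200]


def audit_portals(urls, credentials=DEFAULT_CREDENTIALS):
    findings = []
    for url in urls:
        findings.extend(audit_portal(url, credentials))
    return findings


# ---- constructed stub portals so the example runs offline ------------------

def _make_stub_handler(accepted):
    """Handler that grants access only to the given 'user:pass' strings."""
    class StubPortal(BaseHTTPRequestHandler):
        def do_GET(self):
            header = self.headers.get("Authorization", "")
            if header.startswith("Basic "):
                try:
                    decoded = base64.b64decode(header[6:]).decode(errors="replace")
                except ValueError:
                    decoded = ""
                if decoded in accepted:
                    self.send_response(200)
                    self.end_headers()
                    self.wfile.write(b"helpdesk home")
                    return
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="helpdesk"')
            self.end_headers()

        def log_message(self, *args):   # keep the demo quiet
            pass
    return StubPortal


def start_stub_portal(accepted):
    server = HTTPServer(("127.0.0.1", 0), _make_stub_handler(accepted))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def run_demo():
    """Audit a portal still on admin/admin beside one with a unique password."""
    sloppy, sloppy_url = start_stub_portal({"admin:admin"})
    hardened, hardened_url = start_stub_portal({"svc-helpdesk:Xk9!qL2#vP7r"})
    try:
        return audit_portals([sloppy_url, hardened_url])
    finally:
        for srv in (sloppy, hardened):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for url, user, pw in run_demo():
        print(f"FINDING {url} accepts {user!r}/{pw!r}")
```

Run it against the portal list from your own asset register; for suppliers' portals, only with their written authorisation. Each finding is a portal to fix today, and a 200 with no credentials at all is reported separately because that is a bigger hole than a weak password.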

Coincidentally, I'm about a day off finishing my follow-up article on the Auckland Fuel Crisis. In it, I discuss contractors and how we often look to blame a third party when something like this happens. In fact, your stakeholders aren't going to do that, and neither is the media.

We still don't officially know who these contractors were, but we're all happily blaming the Defence Force's resilience here when really many authorities and people are involved.


I will be following up this story as it progresses, as I believe it is a huge eye-opener for Australian and New Zealand organisations.

RiskLogic specialises in Business Continuity modules for your supply chain, and has done for over a decade. We also have industry-leading cyber-security modules and plans for all types of organisation. Our senior consultants and trainers live and breathe this daily across Australia and New Zealand. If you're concerned about possible holes in your supply chain or cyber security, give us a call now, obligation free.

Until then, plan, do, check & act…
